Tina CMS Symlink Path Traversal Vulnerability in Media Routes
Vulnerability
A path traversal vulnerability has been identified in Tina CMS versions prior to 2.2.2. The issue is in the media handling of the @tinacms/cli package: the media routes check that a requested path lies inside the media directory by comparing paths lexically, without resolving symlink or junction targets before performing filesystem operations. A path that resolves lexically to a location inside the media root can therefore pass validation while the link it traverses points outside that root, giving the caller unauthorized file listing, writing and potentially deletion beyond the media directory. The vulnerability is particularly relevant in development environments, where the media directory may contain intentional or unintentional symlinks or junctions.
Impact
Exploitation of this vulnerability allows an attacker with access to the media endpoints to list, write and delete files outside the media root, bypassing the application's path traversal protections, which only compare the lexical form of the path.
Reproduction
The vulnerability can be reproduced by creating a junction or symlink within the media root that points to a location outside of it. After placing a file in the external location, the Tina CMS media path validation incorrectly allows access to that file through the link, since the requested path still lexically starts with the media root. This can be automated with a script that sets up the junction and the test file, then calls the media list, upload and delete operations through the Tina CMS media API and confirms that the external file is listed, overwritten or removed. A quick check for whether a given media path escapes the root is to compare the real (canonicalised) path of the target with the real path of the media root rather than their lexical forms.
Remediation
Update to Tina CMS version 2.2.2 or later, where this vulnerability has been patched. Until the upgrade is applied, audit the media directory for symlinks and junctions and remove any that point outside the media root.
